[1.18] feat: Add Match Conditions to the validation webhook #10569

Merged
merged 4 commits into from
Jan 14, 2025


davidjumani

Description

Backport of #10554

Adds support for match conditions (defined via Common Expression Language (CEL)) to the validating webhook to allow fine-grained request filtering. They can be set via two new helm values:

  • gateway.validation.matchConditions on the Gloo webhook
  • gateway.validation.kubeCoreMatchConditions on the Kube webhook

API changes

Added the following helm values:

  • gateway.validation.matchConditions
  • gateway.validation.kubeCoreMatchConditions

Context

This feature is useful when the webhook failure policy needs to be Fail but certain resources should be excluded from validation, so that an unreachable gloo pod does not block resource deletion.
E.g.: the user wants to exclude validation of secrets or resources with the foo label:

    kubeCoreMatchConditions:
    - name: 'not-a-secret-or-secret-with-foo-label-key'
      expression: 'request.resource.resource != "secrets" || ("labels" in oldObject.metadata && "foo" in oldObject.metadata.labels)'

Testing steps

Added kubernetes e2e tests

    Gloo was successfully uninstalled.
    --- PASS: TestValidationStrict (301.96s)
        --- PASS: TestValidationStrict/ValidationSplitWebhook (223.71s)
            --- PASS: TestValidationStrict/ValidationSplitWebhook/TestGlooFailurePolicyMatchConditions (85.60s)
            --- PASS: TestValidationStrict/ValidationSplitWebhook/TestKubeFailurePolicyMatchConditions (138.07s)
    PASS

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
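
The example expression from the description, modelled as an added Python sketch (not code from this PR or from Gloo): the CEL is hand-translated, the request dicts are constructed, and `decide`, `req` and `SAMPLES` are hypothetical names. It applies Kubernetes' matchConditions rules (false skips the webhook, an evaluation error is rejected under `Fail`); the null `oldObject` case assumes the webhook's rules also match an operation with no prior object, such as CREATE.

```python
# Added example: a hand-written Python model of the CEL expression quoted in
# the PR description. It is not CEL and not Gloo code; requests are constructed.

class EvalError(Exception):
    """Stands in for a CEL runtime error, e.g. field access on a null oldObject."""

def old_object_has_foo_label(old_object):
    # "labels" in oldObject.metadata && "foo" in oldObject.metadata.labels
    if old_object is None:  # oldObject is null when there is no prior object
        raise EvalError("no such key: metadata")
    metadata = old_object["metadata"]
    return "labels" in metadata and "foo" in metadata["labels"]

def match_condition(request, old_object):
    # request.resource.resource != "secrets" || (...)
    # CEL's || yields true when either side is true, even if the other errors.
    if request["resource"]["resource"] != "secrets":
        return True
    return old_object_has_foo_label(old_object)

def decide(request, old_object, failure_policy="Fail"):
    """Return what the API server does with the request for this one condition."""
    try:
        matched = match_condition(request, old_object)
    except EvalError:
        # Evaluation error: the webhook is never called; Fail rejects the request.
        return "reject" if failure_policy == "Fail" else "skip-webhook"
    return "call-webhook" if matched else "skip-webhook"

def req(resource):
    return {"resource": {"group": "", "version": "v1", "resource": resource}}

# Constructed sample requests: (description, request, oldObject)
SAMPLES = [
    ("delete configmap", req("configmaps"), {"metadata": {"name": "cm"}}),
    ("delete plain secret", req("secrets"), {"metadata": {"name": "s1"}}),
    ("delete secret, other label", req("secrets"),
     {"metadata": {"name": "s2", "labels": {"app": "x"}}}),
    ("delete secret, foo label", req("secrets"),
     {"metadata": {"name": "s3", "labels": {"foo": "bar"}}}),
    ("secret with null oldObject", req("secrets"), None),
]

def run():
    return {name: decide(r, old) for name, r, old in SAMPLES}

if __name__ == "__main__":
    for name, outcome in run().items():
        print(f"{name:28} -> {outcome}")
```

Only the requests that come back as `call-webhook` depend on the gloo pod being reachable; the `skip-webhook` requests are admitted without validation, so a match condition should be reviewed as a validation bypass as well as an availability fix.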

@davidjumani davidjumani requested a review from a team as a code owner January 13, 2025 15:57
@solo-changelog-bot

Issues linked to changelog:
kgateway-dev#9828

@soloio-bulldozer soloio-bulldozer bot merged commit 98f32bc into v1.18.x Jan 14, 2025
18 checks passed
@soloio-bulldozer soloio-bulldozer bot deleted the match-conditions-118 branch January 14, 2025 16:09